Merge pull request unrealhoang#8 from huytd/patch-2

[Security Fix] Prevent XSS on scoreboard
Vuta · Sep 15, 2021 · ff15542 · ff15542
2 parents 7f47807 + 41ab245
commit ff15542
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/spectator/index.js b/spectator/index.js
@@ -175,14 +175,20 @@ connect(function (json) {
         }
 });
 
+function sanitizeHTML(text) {
+  var element = document.createElement('div');
+  element.innerText = text;
+  return element.innerHTML;
+}
+
 function draw_scoreboard(scoreboard) {
         var sorted_players = Object.keys(scoreboard).sort(function (a, b) { return scoreboard[b] - scoreboard[a] });
         var tableHtml = "<tbody>";
 
         for (let i = 0; i < sorted_players.length; i++) {
                 const player_id = sorted_players[i];
                 const player_score = String(scoreboard[player_id]).padEnd(3);
-                const team_name = team_names[player_id];
+                const team_name = sanitizeHTML(team_names[player_id]);
                 tableHtml += `
             <tr class="rank-${i + 1}">
               <td class="rank">${i + 1}</td>